The Internet provides a forum in which consumers and merchants can engage in electronic shopping from globally diverse locations with absolute availability. The Internet continues to capture a growing share of retail business, as evidenced by the tremendous increase in online business-to-consumer transactions over the past several years.
Along with this growth, however, comes a demand by consumers for secure online payment methods. Most online businesses only accept credit cards for payment, and so the sensitive financial and personal data contained on a credit card is broadcast over the Internet; i.e., through multiple computer systems providing the means to read or capture the data. For this reason, prospective online purchasers remain reluctant to provide credit card information via the Internet, thus risking interception of the data for exploitative and criminal purposes by hackers.
Some have attempted to address these issues with various inventions intended to secure the financial and monetary data relevant to the transactions. In general, three categorical approaches to security exist: encryption of the data, utilization of a single, authenticated channel for the transaction, or utilization of proprietary hardware devices.
The first category, encrypted data, traditionally involves encoding the data themselves prior to transmission across a public communications network, and decoding the data when the transmission completes. One such scheme, private key, depends on a single secret known only to the consumer and the merchant. Another scheme, public key, publishes one key and maintains another key as confidential. The requirement in each scheme for a unique key for each user results in literally millions of encryption keys, and, therefore, a great potential for lost, stolen, or counterfeit keys increases.
The greater the degree of security that a particular encryption algorithm provides, however, the greater the degree of the processing effort and resource utilization is required to complete the transaction. Conversely, protocol requiring minimal security is quite susceptible to decoding by a hacker. In general, all encryption carries the potential for a hacker to break the code, and the more extensive the use of the protocol, the more the opportunity for the hacker to observe the patterns of the encryption and decode the algorithm. Thus, various encryption protocols maintain the security of the data only for until such a time as a hacker breaks the code.
Some encryption methods use a combination of networks to complete a transaction. First, the method transmits the encrypted data over a public network for portions of the transaction associated with a low security risk, then shifts the data to a private network to perform portions of the transaction with very high potentials of security failure. Of course, this method restricts purchases to those merchants associated with the provider of the private network. Similarly, Internet transactions involving the electronic withdrawal of funds from a bank account for online payment also require a third-party gatekeeper to route the consumer's payment information over a private network to the financial institution, send the encrypted payment information on a second private network to the merchant, and then divert data pertaining to the remainder of the transaction to the consumer via the Internet. Alternatively, a security method may combine use of a packetized network, such as the Internet, and a switched network, such as the telephone network for voice transmission. U.S. Pat. No. 5,729,594 to Klingman discloses such a method.
Although these combined security methods decrease the risk of infiltration, they restrict the online shopping opportunities for the consumer to those online banks and merchants available via the gatekeeper. In addition, the costs associated with utilizing both private and public networks in combination greatly increase the cost of the online transactional business.
The second category of security involves the configuration of a personal computer system of a consumer and a computer system of a merchant with proprietary hardware devices that cooperate to encode and decode the data for transmittal over the Internet. The smart card, a small plastic card encoded with various data, is a primary example of this technology. The Smart card provides a means by which the consumer can easily transport the card; however, current configurations require the use of a propriety smart card reader device attached to the personal computer of the consumer. U.S. Pat. No. 5,870,473 to Boesch, et al. discloses an example of this method. This method of security generally requires, at a minimum, a proprietary card reader by all consumers and all merchants using a particular card. These devices are costly, system dependent, and non-mobile, and the dependency on the propriety hardware restricts opportunities for transactions to those consumers and merchants with the appropriate, propriety hardware.
The third category of security involves transfer protocol security. Generally, this method incorporates adherence to a protocol directed at one or more logical layers of transport in a networking conceptual model. Usually, the personal credit card data in an online transaction must be encapsulated with computer-readable instructions to transport the data from one location to another; e.g., from application software to application software; from a diskette to a hard drive; or from a personal computer to a merchant's web site. For example, Secure Socket Layer (SSL) protocol utilizes data encryption of the information related to the channel of transmission; i.e., the transmittal information used to encapsulate the personal financial data themselves. This method of security also provides data authentication via digital certificates that offer the consumer and the merchant assurances that they actually are who they claim to be online, and that the data sent between the two is secure.
Alternatively, the security method may employ the security mechanism at any logical layer in a networking model. For example, the U.S. Pat. No. 5,671,279 discloses a security method utilizing a secure connection in the Transmission Control Protocol (TCP) layer of the Open Systems Interconnection (OSI) layered architecture networking model, as developed by the International Standards Organization (ISO) of the current International Telephony Union (ITU). The data encryption portions of this method, however, remain susceptible to breaches of security for all the reasons previously stated. Digitally signed certificates require the involvement of a third-party, the issuer or guarantor of the certificate, and, therefore, build in an additional cost for security.
Summarizing, the current art provides a level of basic security for Internet financial transactions in the form of data encryption. This method, however, does not provide perfect protection against infiltration. Furthermore, the likelihood of infiltration increases over time with any particular encryption algorithm due to the accessibility of the encrypted data to the public. Attempts to buttress security by utilizing third-party services and resources results in excessive costs to the merchant, the consumers, or both. As an additional factor, the combination of security methods often substantially restricts the transactional opportunities of the consumer and the merchant. Some of the methods currently available require significant system resources, resulting in excessive costs to the transacting parties and performance degradation on the systems involved.
From the foregoing, it can be seen that a secure, simple, and cost-effective method for conducting online monetary transactions is needed to keep pace with the ever expanding Internet and the associated transactional opportunities. An advantageous means to this end must provide a highly secure, robust, universal, and cost-effective solution to conduct high-speed transactions over the Internet from virtually any location.